NSS Data Security


One of the most important features of NSS is its flexible, yet powerful, security model. This security is integrated with eDirectory and offers comprehensive security management through command-line utilities, NetStorage, or the Novell Client. As mentioned earlier in this chapter, NSS operates in two modes, NetWare mode and Linux mode. NetWare mode requires that eDirectory user accounts be used to access NSS volumes. This allows for integration with eDirectory, and is the only way to provide for the advanced security capabilities described in this section. Linux mode refers to accessing NSS volumes using local user accounts. In this mode, you are limited to the traditional POSIX permissions seen with other Linux filesystems. Information about POSIX permissions can be found in Chapter 3, "Working with SUSE Linux Enterprise Server 9."

With an NSS filesystem in NetWare mode, you can implement two types of security tools in the filesystem, either together or separately, to protect your files:

  • Trustee rights: These are equivalent to entry rights for eDirectory objects. Trustee rights enforce access control that defines the possible actions that can be taken with Volume, Folder, and File objects and who or what can perform those actions.

  • Attributes: Attributes define the characteristics of individual Folder or File objects. Because attributes trump trustee rights, they control the activities of all users, regardless of which trustee rights are assigned.

Filesystem Trustee Rights

Filesystem trustee rights allow eDirectory users and groups to work with files and directories on NSS volumes in specific ways. Each right determines whether a user can do things such as see, read, change, rename, or delete the file or directory. NSS filesystem rights obey inheritance rules just like eDirectory rights. When rights are assigned to a file, they define a user's allowable actions for that file only. When rights are assigned to a directory, they affect a user's allowable actions on not only the directory itself but also everything stored within that directory.

Although filesystem rights are similar in nature to the eDirectory rights for objects and properties (described in Chapter 8, "Users and Network Security"), they are not the same thing. Filesystem rights are separate from eDirectory rights. They affect only how users work with files and directories. eDirectory rights affect how users work with other eDirectory objects.

There are eight filesystem trustee rights. You can assign any combination of those filesystem rights to a user or group, depending on how you want that user or group to work.

Table 11.2 describes the available filesystem rights and how they affect directory and file access.

Table 11.2. Filesystem Rights

| FILESYSTEM RIGHT | ABBREVIATION | DESCRIPTION |
|---|---|---|
| Read | r | Directory: Allows the trustee to open and read files in the directory. File: Allows the trustee to open and read the file. |
| Write | w | Directory: Allows the trustee to open and write to (change) files in the directory. File: Allows the trustee to open and write to the file. |
| Create | c | Directory: Allows the trustee to create subdirectories and files in the directory. File: Allows the trustee to salvage the file if it was deleted. |
| Erase | e | Directory: Allows the trustee to delete the directory and its files and subdirectories. File: Allows the trustee to delete the file. |
| Modify | m | Directory: Allows the trustee to change the name, directory attributes, and file attributes of the directory and its files and subdirectories. File: Allows the trustee to change the file's name or file attributes. |
| File Scan | f | Directory: Allows the trustee to see the names of the files and subdirectories within the directory. File: Allows the trustee to see the name of the file. |
| Access Control | a | Directory: Allows the trustee to change the directory's IRF and trustee assignments. File: Allows the trustee to change the file's IRF and trustee assignments. |
| Supervisor | s | Directory: Grants the trustee all rights to the directory, its files, and its subdirectories. It cannot be blocked by an IRF. File: Grants the trustee all rights to the file. It cannot be blocked by an IRF. |


NOTE

Trustee assignments are the only way to enforce access control on NSS volumes under Linux. Using the traditional Linux permission tools, such as chown or chgrp, will not affect access from eDirectory users. These tools should only be used when accessing Linux volumes in Linux mode.


INHERITING FILESYSTEM RIGHTS

Just like eDirectory rights, NSS filesystem rights can be inherited. This means that if you have filesystem rights to a parent directory, you can also inherit those rights and exercise them in any file and subdirectory within that directory. Inheritance keeps you from having to grant users filesystem rights at every level of the filesystem.

You can block inheritance by removing the right from the IRF of a file or subdirectory. As with directory objects, every directory and file has an inherited rights filter, specifying which filesystem rights can be inherited from a parent directory. By default, file and directory IRFs allow all rights to be inherited.

Inheritance can also be blocked by granting a new set of trustee rights to a subdirectory or file within the parent directory. As with the eDirectory rights, inherited and explicit filesystem rights are not cumulative. Explicit assignments replace the inherited rights from a parent directory.

FILESYSTEM SECURITY EQUIVALENCE

Security equivalence for NSS filesystem rights works the same way as security equivalence for eDirectory rights (explained in Chapter 8). You can assign one user to have the same eDirectory rights and filesystem rights as another user by using the Security Equal To Me tab in an object's properties page.

NOTE

Remember: You are still subject to the shortcomings of security equivalence as described in Chapter 8.


FILESYSTEM EFFECTIVE RIGHTS

Just as with eDirectory rights, determining which NSS filesystem rights a user can actually exercise in a file or directory can be confusing at first. A user's effective filesystem rights are the filesystem rights that the user can ultimately execute in a given directory or file. The user's effective rights to a directory or file are determined in one of two ways:

  • A user's inherited rights from a parent directory, minus any rights blocked by the subdirectory's (or file's) IRF

  • The sum of all rights granted to the user for that directory or file through direct trustee assignment and security equivalences to other users
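
The two rules above, worked through as an added example (this is not code from the book or from Novell). The volume, directory, user, and group names are constructed. The example assumes each identity's rights are resolved separately and then summed, and it reads Table 11.2 as meaning that a Supervisor grant persists for everything below the point where it was granted.

```python
# Added example: effective NSS trustee rights along a path (constructed data).
ORDER = "rwcemfas"               # the eight rights from Table 11.2
ALL = set(ORDER)

def resolve_identity(path, identity, trustees, irfs):
    """Rights a single identity holds at the last element of `path`.

    `path` lists every level from the volume root down to the target.
    """
    held = set()
    for level in path:
        if "s" in held:
            # Supervisor covers everything below and cannot be blocked by an IRF.
            return set(ALL)
        explicit = trustees.get(level, {}).get(identity)
        if explicit is not None:
            held = set(explicit)               # explicit assignment replaces inherited rights
        else:
            held &= set(irfs.get(level, ALL))  # IRF filters inherited rights (default: all pass)
    return set(ALL) if "s" in held else held

def effective_rights(path, user, equivalents, trustees, irfs):
    """Sum the rights of the user and of every identity the user is equivalent to."""
    total = set()
    for identity in [user, *equivalents]:
        total |= resolve_identity(path, identity, trustees, irfs)
    return "".join(r for r in ORDER if r in total)

# Constructed sample tree: volume -> directory -> subdirectory -> file.
PATH = ["DATA:", "DATA:/projects", "DATA:/projects/payroll",
        "DATA:/projects/payroll/q3.xls"]
TRUSTEES = {
    "DATA:": {"admin": "s"},
    "DATA:/projects": {"alice": "rwcemf", "staff": "rwcf"},
    "DATA:/projects/payroll": {"alice": "rf", "hr": "rwf"},
}
IRFS = {"DATA:/projects/payroll": "rf"}   # payroll lets only r and f be inherited

if __name__ == "__main__":
    cases = [("alice", []), ("alice", ["hr"]), ("bob", ["staff"]), ("admin", [])]
    for user, eq in cases:
        print(user, eq, effective_rights(PATH, user, eq, TRUSTEES, IRFS))
```
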

WORKING WITH FILESYSTEM TRUSTEE RIGHTS

iManager can't yet take you into the NSS or NCP filesystem. You can assign rights at the volume level, but not at the directory or file level. Use NetStorage, the Novell Client, or the command-line rights utility to work with filesystem rights.

MANAGING RIGHTS WITH THE NOVELL CLIENT

To see or change a user's trustee assignments with the Novell Client, complete the following steps:

1. From a workstation, log in to the server using the Novell Client. If necessary, map a drive to the NSS volume you would like to modify trustees on.

2. Using a file manager, browse to the point in the filesystem, volume, folder, or file with which you want to work.

3. Right-click the folder or file and select Properties, and then select the NetWare Rights tab.

4. The Effective Rights box displays your effective rights to the selected object, as shown in Figure 11.7. The Trustees box contains all current trustee assignments on the current object.

Figure 11.7. Working with filesystem trustee rights through the Novell Client.


You can make a user a trustee of a FileSystem object using the NetWare Rights tab of the Novell Client by doing the following:

1. From the eDirectory tree view in the center of the page, locate and select the desired User object. Click Add to add the user as a trustee.

2. In the Trustee box at the top of the page, check those explicit filesystem rights that you want to grant the user and click OK or Apply.

If the user is already a trustee, simply highlight the appropriate User object in the Trustees box and perform step 2.

MANAGING TRUSTEES AT THE COMMAND LINE

To see or change a user's trustee assignments at the command line, you cannot use the normal Linux chown utility. Although this utility can manipulate the POSIX ownership for an NSS volume in Linux mode, it is unable to view or modify the extended trustee assignments available with NSS in NetWare mode. To adjust the NSS trustee assignments, you must use the rights command-line utility.

The rights utility can be used to view effective rights; view, modify and delete trustee assignments; and modify the inherited rights filter.

To view trustee assignments using the rights utility, execute the following command:

 rights -f <File_Or_Directory> show

To view the effective rights of a particular eDirectory user, the following command may be used:

 rights -f <File_Or_Directory> effective <Username>

Finally, to add or delete trustee assignments, the following commands can be used:

 rights -f <File_Or_Directory> trustee <Username>
 rights -f <File_Or_Directory> delete <Username>

For more information on the rights command, use rights -help.

NetStorage can also be used to adjust file and directory trustee assignments. This option is available through the properties of files and directories while logged in to NetStorage. For more information on NetStorage, see Chapter 12.

File and Directory Attributes

Another important NSS security tool for securing files and directories is attributes. Attributes are properties of NSS files and directories that control what can happen to those files or directories. Attributes, which are also called flags, are different from trustee rights in several ways:

  • Attributes are assigned directly to files and directories, whereas rights are assigned to users.

  • Attributes override rights. In other words, if a directory has the Read-Only attribute, you can't delete the directory even if you've been granted the Erase right.

  • Likewise, attributes don't grant rights. Just because a file has the Read-Write attribute doesn't mean you can write to it if you don't have the Write right.

  • Attributes affect all users, including the Admin user.

  • Attributes affect some aspects of the file that rights do not, such as determining whether the files in a directory can be purged immediately upon deletion.

Knowing these distinctions between NSS file attributes and trustee rights will help you better understand the behavior of the NSS filesystem.

There are twelve NSS attributes that apply to either files or directories. However, there are only four core attributes that are configurable using traditional POSIX utilities from a Linux terminal. These attributes are listed in Table 11.3.

Table 11.3. File and Directory Attributes

| ATTRIBUTE | DESCRIPTION |
|---|---|
| Read-Only | Allows files to be opened and read, but not modified. Using some Linux-based utilities, like vi, it is possible to write changes to a read-only file if you have the proper trustee assignments. Directories use this attribute to allow listing of directory contents. |
| Read-Write | Allows files to be opened, read, and modified. Allows directory contents to be modified. |
| Execute | Marks a file as executable and allows execution of the file. Directories always have this attribute set to allow access to the directory itself. |
| Hidden | Hides the file or directory so that it is not listed by NCP-based clients, like the Windows File Manager, and can't be copied or deleted. |


These four attributes can be used in combination with each other to produce several possible configurations of file attributes. Each combination of attributes can be assigned using the Linux utility chmod. This utility is used to assign file permissions on traditional Linux filesystems and file attributes on NSS.

On traditional Linux filesystems, you must specify the permissions for the user owner, group owner, and all other Linux users when assigning permissions with chmod. On an NSS volume, the permissions are managed through trustee assignments and are not settable through chmod. Therefore, the file or directory ownership, visible when listing files from a terminal, has no real relevance to the permissions users have to the object. Because the ownership does not matter, it is also not necessary to specify the user, group, and other permissions when assigning file attributes on an NSS volume through chmod. Specifying the file attributes using the user owner field only is sufficient.

In other words, on a traditional Linux filesystem, chmod 700 would give the user owner full permissions to the file and no permissions would be granted to the group owner or other category of users. That same command on an NSS volume would assign specific attributes on the file, for all trustees of the file. Displaying the file using the ls command would also display these attributes as though all categories of users were assigned the attributes, not just the user owner category. The end result of this is that the chmod 700 command produces the same attribute assignment as chmod 755, or chmod 722.

Setting NSS file attributes using chmod relies on the same octal system used on traditional filesystems. Possible combinations of attributes are listed in Table 11.4.

Table 11.4. POSIX Representations of NSS File and Directory Attributes

| OCTAL CODE OF ATTRIBUTES | FILE MODE DISPLAY | ENABLED NSS ATTRIBUTES | DESCRIPTION |
|---|---|---|---|
| 000 | --------- | Hidden Read-Only | Prevents files from being displayed (from NCP clients) or modified. |
| 100 | --x--x--x | Hidden Read-Only | Prevents directory contents from being displayed (from NCP clients) or modified. |
| 400 | r--r--r-- | Read-Only | Allows files to be read, but does not allow modification. |
| 500 | r-xr-xr-x | Read-Only Execute | Allows files to be read and executed. No modification is allowed. Allows directories to be entered and renamed. Directory contents can be displayed, but cannot be modified. |
| 600 | rw-rw-rw- | Read-Write | Allows files to be read and modified. |
| 700 | rwxrwxrwx | Read-Write Execute | Allows files to be read, modified, and executed. Allows directories to be entered, renamed, or deleted. Directory contents can be listed and modified. |


NOTE

The chmod permissions of 200 and 300 are not designed to be used. They create a hidden file that can be written to with the proper trustee assignments, but they offer no benefit over the 000 setting.


There are additional NSS attributes, which can be used for specific requirements. These attributes can be set or adjusted using NetStorage, or the NSS command line utility /sbin/attrib. Although you can set these additional attributes on files and directories, some attributes are only applicable to one or the other. A list of commonly used NSS attributes can be found in Table 11.5.

Table 11.5. Common NSS File and Directory Attributes

| ATTRIBUTE | FILE | DIRECTORY | DESCRIPTION |
|---|---|---|---|
| Read-Only | X | X | Allows the file to be opened and read, but not modified. Assigning the Read-only attribute automatically assigns Delete inhibit and Rename inhibit. |
| Archive | X | | Indicates that the file has been changed since the last time it was backed up. |
| Hidden | X | X | Hides the file or directory so that it isn't listed by NCP-based connections, such as the Windows File Manager, and can't be copied or deleted. |
| Sharable | X | | Allows the file to be used by more than one user simultaneously. Useful for utilities, commands, applications, and some database files. Most data and work files should not be sharable, so that users' changes do not conflict. |
| Transactional | X | | When used on database files, allows Novell's Transaction Tracking System (TTS) to protect the files from being corrupted if the transaction is interrupted. |
| Purge Immediate | X | X | Purges the file or directory immediately upon deletion. Purged files can't be salvaged. |
| Compress Immediate | X | X | Compresses the file or directory immediately. |
| Do Not Compress | X | X | Prevents the file or directory from being compressed. |
| Rename Inhibit | X | X | Prevents users from renaming the file or directory. |
| Delete Inhibit | X | X | Prevents users from deleting the file or directory. |
| Copy Inhibit | X | X | Prevents the file or directory from being copied. |
| Compressed | X | | This attribute is not settable by users. It is set by NSS itself to indicate that a file has been compressed. This option is only valid for volumes supporting compression. |


To assign advanced NSS attributes to a file or directory using NetStorage, complete the following steps:

1. Launch NetStorage by accessing the following URL:

   http://<OES_Server_IP_Address_Or_DNS_Name>/NetStorage/

2. Enter your user credentials and click OK. Using an eDirectory administrator will allow you to adjust attributes on any NSS file.

3. Use the left-hand navigation frame to locate the NSS_Volumes folder. All NSS volumes should be listed beneath this folder. Expand the folder structure under the desired NSS volume to locate the directory where file attributes are to be adjusted.

4. Select the check box next to the file or directory in the right-hand pane, and then select File, Properties. NSS Attributes will be displayed on the NetWare Info tab as shown in Figure 11.8. Check the desired attributes and select Apply.

Figure 11.8. Working with file and directory attributes in NetStorage.

5. Click Close to return to the main NetStorage window.

It is also possible to use the terminal-based utility /sbin/attrib to set file and directory attributes. This utility can be used to set advanced attributes not listed in Table 11.5. For information on using this utility, execute /sbin/attrib help, or see the online OES documentation. For additional information on NetStorage, see Chapter 12.



    Novell Open Enterprise Server Administrator's Handbook, SUSE LINUX Edition
    ISBN: 067232749X
    EAN: 2147483647
    Year: 2005
    Pages: 178
